Thread: pf config error
#4
Old 30th August 2009
Stellar
Port Guard
 
Join Date: Aug 2009
Posts: 26

Relax man... sorry, I was asleep for 2 days lol. I didn't see that when I pasted into the SSH client it had some wrongly terminated string. Thanks, it worked as you advised. Here is the config; any advice on eliminating redundant rules? I need help making the security tighter (block port scanners / SYN stealth scans?).
Code:
#### First declare a couple of variables ####
### Outgoing tcp / udp port ####
### 43 - whois, 22 - ssh ###
tcp_services = "{ ssh, smtp, domain, www, https, 22, ntp, 43, ftp, ftp-data }"
udp_services = "{ domain, ntp }"
### allow ping / pong ####
icmp_types = "{ echoreq, unreach }"
 
#### define tables. add all subnets and ips to block
table <blockedip> persist file "/etc/pf.blockip.conf"
 
martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, 0.0.0.0/8, 240.0.0.0/4 }"
 
### admin server ranges ###
adminrange = "192.168.1.101"
 
# connected to internet
ext_if = "em0"
 
##### ftp proxy
#proxy="127.0.0.1"
#proxyport="8021"
 
#### Normalization
#scrub provides a measure of protection against certain kinds of attacks based on incorrect handling of packet fragments
scrub in all
 
#### NAT and RDR start
#nat-anchor "ftp-proxy/*"
#rdr-anchor "ftp-proxy/*"
 
# redirect ftp traffic
#rdr pass proto tcp from any to any port ftp -> $proxy port $proxyport
 
# Drop incoming everything
block in log (to pflog0) all
block return
 
# keep stats of outgoing connections
pass out log(all) keep state
 
# We need to have an anchor for ftp-proxy
#anchor "ftp-proxy/*"
 
# unlimited traffic  for loopback and lan / vpn
set skip on {lo0, $ext_if}
 
# activate spoofing protection for all interfaces
block in quick from urpf-failed
 
#antispoof is a common special case of filtering and blocking. This mechanism protects against activity from spoofed or forged IP addresses
antispoof log (to pflog0) for $ext_if
 
#Block RFC 1918 addresses
block drop in log (to pflog0)  quick on $ext_if from $martians to any
block drop out log (to pflog0) quick on $ext_if from any to $martians
 
# Block all ips
# pfctl -t blockedip -T show
block drop in log (to pflog0)  quick on $ext_if from <blockedip> to any
block drop out log (to pflog0) quick on $ext_if from any to <blockedip>
 
# allow outgoing
pass out log(to pflog0) on $ext_if proto tcp to any port $tcp_services
pass out log(to pflog0) on $ext_if proto udp to any port $udp_services
 
# Allow trace route
pass out on $ext_if inet proto udp from any to any port 33433 >< 33626 keep state
 
# Allow admin to get into box
pass in log(to pflog0) on $ext_if from $adminrange to any
 
# Allow incoming ssh, http, bind traffic
# pass in  on $ext_if proto tcp from any to any port 25
pass in on $ext_if proto tcp from any to any port ssh  flags S/SA synproxy state
pass in on $ext_if proto udp from any to any port domain
pass in on $ext_if proto tcp from any to any port domain flags S/SA synproxy state
pass in on $ext_if proto tcp from any to any port http flags S/SA synproxy state
pass inet proto icmp all icmp-type $icmp_types keep state
## add your rule below ##
Attached below. Anyway, I've got another problem: pflogd seems to be writing into /var/log/pflog, but strangely pf can't pass the log into the pflog0 interface as defined in the rules. Nothing happens on pflog0 when I'm using tcpdump.
My interfaces:
Quote:
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33204
priority: 0
groups: lo
inet 127.0.0.1 netmask 0xff000000
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:0c:29:07:9b:68
priority: 0
groups: egress
media: Ethernet autoselect (1000baseT full-duplex,master)
status: active
inet 192.168.1.88 netmask 0xffffff00 broadcast 192.168.1.255
inet6 fe80::20c:29ff:fe07:9b68%em0 prefixlen 64 scopeid 0x1
enc0: flags=0<> mtu 1536
priority: 0
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33204
priority: 0
groups: pflog
pftop shows just 0:
Quote:
pfTop: Up State no entries, View: default, Order: none, Cache: 10000 16:23:05

PR DIR SRC DEST STATE AGE EXP PKTS BYTES
I ran pf, and checked: it's not displayed in the process list???
Quote:
# ps -aux | grep pf
root 5525 0.0 0.0 612 392 ?? Is 3:17PM 0:00.00 pflogd: [priv] (pflogd)
_pflogd 2219 0.0 0.0 676 308 ?? S 3:17PM 0:00.06 pflogd: [running] -s 116 -i pflog0 -f /var/log/pflog (pflogd)
root 32108 0.0 0.2 1616 1888 p0 T 4:05PM 0:00.01 pftop
root 22696 0.0 0.2 1604 1908 p0 T 4:23PM 0:00.01 pftop
Attached Files
File Type: conf pf.conf (2.7 KB, 83 views)
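An added lint check (example code, not from the post above or from the OpenBSD project) for the most consequential setting in a pf.conf like the one posted: any interface named in `set skip on` is excluded from pf entirely, so none of the block/pass rules, synproxy or `log (to pflog0)` ever apply to its packets, which also leaves pftop without states. The script reads a constructed excerpt of the posted ruleset, resolves the `$ext_if` macro, and reports whether the external interface is in the skip list.

```shell
#!/bin/sh
# Added lint for pf.conf (example code, not from the original post).
# An interface named in "set skip on" is excluded from pf completely, so no
# block/pass rule, synproxy or "log (to pflog0)" ever applies to its packets.

# Constructed input: the lines of the posted ruleset that matter here.
SAMPLE_CONF='ext_if = "em0"
set skip on {lo0, $ext_if}
block in log (to pflog0) all'

# Print the quoted value of a macro ($2) defined in the ruleset text ($1).
pf_macro_value() {
    printf '%s\n' "$1" \
      | sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" \
      | head -n 1
}

# Print every interface listed in "set skip on ...", one per line, with the
# $ext_if macro expanded; prints nothing when there is no skip statement.
pf_skip_interfaces() {
    ext=$(pf_macro_value "$1" ext_if)
    printf '%s\n' "$1" \
      | sed -n 's/^[[:space:]]*set[[:space:]]\{1,\}skip[[:space:]]\{1,\}on[[:space:]]\{1,\}//p' \
      | tr -d '{}' | tr ',' ' ' \
      | while read -r line; do
            for item in $line; do
                [ "$item" = '$ext_if' ] && item=$ext
                printf '%s\n' "$item"
            done
        done
}

# Exit 0 when the external interface is skipped (the misconfiguration),
# 1 when pf actually filters it.
pf_ext_if_skipped() {
    ext=$(pf_macro_value "$1" ext_if)
    [ -n "$ext" ] && pf_skip_interfaces "$1" | grep -qx -- "$ext"
}

if pf_ext_if_skipped "$SAMPLE_CONF"; then
    echo "WARNING: ext_if is in 'set skip'; the ruleset never sees its traffic"
else
    echo "OK: ext_if is filtered by pf"
fi
```

On a live box the same condition shows up as `pfctl -s info` reporting no state or rule counters on that interface and `tcpdump -n -e -ttt -i pflog0` staying silent.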